AWS Security Readiness Checklist

by Mark Moore on January 16, 2019

This AWS Security Readiness Checklist is intended to help organizations evaluate their applications and systems before deployment on AWS. This evaluation is based on a series of best practices and is built off the Operational Checklists for AWS¹.

The checklist consists of three categories:

Basic Operations Checklist: Helps organizations take into account the different features and services that their applications have access to.
Enterprise Operations Checklist: Helps organizations identify key elements and action items that need to be taken before migrating to the AWS cloud.
Auditing Security Checklist: Helps organizations evaluate the security features that might be required for their specific industry governing bodies.

Basic Operations Checklist

The Basic Operations Checklist consists of a set of high-level questions that organizations need to address in order to get ready to adopt different AWS services. These questions are:

Do you use AWS Identity and Access Management (IAM)?
Do your applications work with AWS dynamic IP addressing?
Do you regularly check processes for patching, updating, and security?
Do you use Amazon EBS volumes?
Do you regularly backup Amazon EBS volumes?
Do you regularly backup Amazon EC2 instances?
Do you use Elastic Load Balancing?
Do you use appropriate user access credentials?
Do you use security groups and have a hierarchical network topology?
Do you use “CNAME” records to map AWS DNS names?
Do you remove sensitive and confidential information before sharing Amazon Machine Images?
Do you have a plan for incorporating AWS Trusted Advisor reports for AWS operational reviews?
Have you performed performance and user testing before hosting AWS applications?

Enterprise Operations Checklist

The Enterprise Operations Checklist consists of an in-depth operational review based on best practices that need to be followed to develop a successful cloud strategy.

Sponsorships Available

The Enterprise Operation Checklist items are further classified into different sections such as:

Billing and Account Governance: This ensures that the organization has developed an adequate billing system and that it has an appropriate account management system for multiple accounts.
Security and Access Management: This ensures that the organization has a strategy and process in place for network and data access.
Asset Management: This ensures that the organization has a strategy for maintenance, identification, and tracking of AWS resources.
Application Resilience: This ensures that the AWS solution implemented meets the resilience and availability requirements of the application.
Application DR/Backup: This ensures that the AWS solution implemented meets the backup and disaster recovery requirements of the application.
Monitoring and Incident Management: This ensures that the organization has the necessary tools to integrate AWS resources into its incident management process.
Configuration and Change Management: This ensures that the organization has an adequate change and configuration management strategy for the AWS resources.
Release and Deploy Management: This ensures that the organization has a system in place for the integration, configuration, and release of applications.

Auditing Security Checklist

The Auditing Security Checklist is a new checklist that is updated periodically to address new security controls and features in AWS. The checklist items in this category are:

Root account protection: Ensure that your access keys are secure and well protected.
CloudTrail protection: Ensure that you have set up roles and users and have granted limited access per the need of the personnel.
Administrative role access: Ensure that limited access is given to administrative personnel per IAM policies.
Familiarity with AWS Security Token Services (STS): Ensure that you are trained with STS services that allow you to provide credentials with limited privilege.
Familiarity with AWS Detailed Billing: Ensure that you are trained with AWS Detailed Billing that provides you with the hourly cost incurred for each resource.
Encrypted EBS volumes: Ensure that all data and disk memory is using the AES-256 algorithm.
VPC Flow Log activation: Ensure that you collect both incoming and outgoing IP traffic on the network in your VPCs.
EC2 Key Pairs protection: Ensure that you are following AWS best practice to manage access keys.
Structured Security Groups: Ensure that a security group (virtual firewall) is controlling inbound and outbound traffic.
S3 Buckets Access: Ensure that no public access buckets are created and that they are using S3 Bucket or IAM policies.
Sensitive data encryption: Ensure that Server Side Encryption (SSE) is incorporated using the applicable bucket policy.
Data traffic encryption: Ensure that inbound and outbound traffic data is encrypted using S3 SSL endpoints.
Familiarity with S3 Lifecycle Policies: Ensure that you are using S3 versioning to save, retrieve, and restore any previous version of an object stored in the Amazon S3 bucket.
S3 Access Logging: Ensure that S3 access logging is activated and that you are analyzing logs regularly. S3 logs will assist in security audits and will help analyze S3 usage bills and user behavior.

Having clearly established processes for operational security and conducting regular audits is the key to robust security. Following the steps outlined above will help to ensure a secure AWS environment and boost your organization’s overall security posture.

If you’re interested in finding out more about the Threat Stack Cloud Security Platform^® or would like to speak with one of our cloud security or compliance experts, please feel to book a demo.

AWS originally released its Operational Checklists for AWS in 2013 and has updated the copyright to 2016. As such it is still highly relevant and very much in use.